Krebs on Security

In-depth security news and investigation

Sources: Credit Card Breach at California DMV

The California Department of Motor Vehicles appears to have suffered a wide-ranging credit card data breach involving online payments for DMV-related services, according to banks in California and elsewhere that received alerts this week about compromised cards that all had been previously used online at the California DMV.

The alert, sent privately by MasterCard to financial institutions this week, did not name the breached entity but said the organization in question experienced a “card-not-present” breach — industry speak for transactions conducted online. The alert further stated that the date range of the potentially compromised transactions extended from Aug. 2, 2013 to Jan. 31, 2014, and that the data stolen included the card number, expiration date, and three-digit security code printed on the back of cards.

Five different financial institutions contacted by this publication — including two mid-sized banks in California — confirmed receipt of the MasterCard notice, and said that all of the cards MasterCard alerted them about as compromised had been used for charges bearing the notation “STATE OF CALIF DMV INT”.

A representative from MasterCard, speaking on background, confirmed sending out an alert this week. According to bank sources, Visa has not sent out a similar alert. A Visa spokesperson said “Visa cannot comment on potential third party data compromises or ongoing investigations.”

Contacted about the alerts early Friday afternoon Pacific time, California DMV Spokesperson Jessica Gonzalez said the agency would investigate the matter. Reached again at 6:30 p.m. PT (well after DMV business hours on a Friday), Ms. Gonzalez said her office was working late as a result of the inquiry from KrebsOnSecurity. She said the agency was still in the process of getting a statement approved, but that it planned to email the statement later that evening. So far, however, the California DMV has yet to issue a statement or respond to further requests for comment.

Update, 6:44 p.m. ET: The CA DMV just issued the following statement, which placed blame for the incident on the organization’s external card processing firm:

“The Department of Motor Vehicles has been alerted by law enforcement authorities to a potential security issue within its credit card processing services.”

“There is no evidence at this time of a direct breach of the DMV’s computer system. However, out of an abundance of caution and in the interest of protecting the sensitive information of California drivers, the DMV has opened an investigation into any potential security breach in conjunction with state and federal law enforcement.”

“In its investigation, the department is performing a forensic review of its systems and seeking information regarding any potential breach from both the external vendor that processes the DMV’s credit card transactions and the credit card companies themselves.”

The CA DMV did not say who their card processor is, but this document from the California Department of General Services seems to suggest that the processor is Elavon, a company based in Atlanta, Ga. Representatives for Elavon could not be immediately reached for comment [hat tip to @walshman23 for finding this document].

Update, Mar. 24, 10:54 a.m.: Elavon officials could not be reached for comment. But a spokesperson for Elavon parent firm U.S. Bank told this publication that “there has been NO confirmation of a breach. We are in touch with the CA-DMV and the authorities to determine if there is an issue.”

Original story:

If indeed the California DMV has suffered a breach of their online payments system, it’s unclear how many card numbers may have been stolen. But the experience of one institution that received the MasterCard alert this week may offer some perspective.

The alert was tailored for individual banks, including a list of the credit and debit card numbers that each bank had potentially exposed. One California bank that received the alert said the notice included a list of more than 1,000 cards that the bank had issued to customers. To put that in perspective, this same bank had just over 3,000 cards impacted by the breach at Target late last year, and that was a break-in that ultimately jeopardized more than 40 million card numbers at banks nationwide.

“We’re seeing two percent of our card base compromised as a result of this, and our cards are 100 percent concentrated here in California,” said a source at the small state bank, who declined to be named because he did not have permission to speak on the record. “That’s still a big number, and it’s a huge exposure window.”

According to the latest statistics released by the California DMV, Californians conducted more than 11.9 million online transactions with the agency in 2012, a 6 percent increase over 2011.

Also unclear is whether the apparent breach affecting the CA DMV may have involved the theft of additional, more sensitive personal information on Californians, such as Drivers License and Social Security numbers, email and physical addresses, phone numbers and other personal data.

Update, 4:05 p.m. ET: Modified the opening paragraph to make it clearer that this is a breach involving online transactions, not at California DMV physical locations (which don’t accept credit cards anyway). Also, the CA DMV has released a Frequently Asked Questions (FAQ) page about this incident.

This entry was posted on Saturday, March 22nd, 2014 at 12:05 pm and is filed under A Little Sunshine, Data Breaches.

140 comments

So since there is pretty much a guarantee that everyone’s credit, social security, and personal information is leaked and abused at will, how does one go about starting a new identity from scratch? The system has become unusable so how do we get a new one without all the same old mess as the old one?

I agree there is no point changing one’s identity – seems like they will just have to come up with better and better authentication schemes, that work with less and less chance of being compromised.

I still feel a change in PCI standards may help for years to come, but the industry will at least have to admit they will be playing catch up the whole time. I really don’t believe they will ever actually be completely ahead of the criminals.

I am thinking more along the lines of why bother using a ‘real’ one anymore. The framework of identities is pretty well busted and seems like the normal sap gets punished for trying to conform while the banks and crooks keep changing the rules at a whim and make out like bandits. Maybe I’m just cynical or watched one too many Netflix documentaries, but it seems like society is coming apart and our leaders do nothing while the banks and financial sectors take full advantage of every last dollar they can wring from our pre-corpses.

I once called for a system, where your ID would be behind a veritable Ft. Knox, then a shadow ID would be issued that was only tied to the real one through some kind of technical scheme – I’ll leave that to the experts.

I’ve also seen good arguments from people smarter than me, that all they need is a Real ID that cannot be corrupted and simply improve the security involved in attaching it to a financial device. When I say Real ID, I mean one like a drivers license, that cannot be copied, or would be so expensive to copy that it would be cost prohibitive to try.

Congress tried to pass a Real ID act so that employers could finally cover their behinds from hiring illegal aliens and getting fined for it. The problem was there was no carrot in the law, only a stick – states’ powers trumped federal in this case and the whole scheme was dropped. I don’t know if they will ever try it again with the hot button immigration reform issues out there.

As it turns out, punishing employers for hiring illegal aliens with fake IDs has not worked out. They can always duck the charges because of the fact that faking the ID is too easy, and it looks totally legitimate – in fact some of them are tied to actual persons who passed away. So you also have the problem of fake ID splattered all over the system, which I’d wager is also complicating the financial side of this, as much as the type of credit card theft we see here at KOS.

The article states that Elavon is the DMV’s merchant credit card processor, but that is not necessarily the same thing as the “external vendor that processes the DMV’s credit card transactions”. To avoid PCI hassles, the DMV may have hired a different vendor (a payment gateway) on whose website the actual payment transactions were entered. Those transactions are then sent to Elavon for approval and capture. So the question may actually be: Does the California DMV use a payment gateway and was the gateway breached?

I’ve had my ATM card skimmed while at the Escondido DMV. It was a card I rarely use and a day after I paid for my registration at the DMV, it was used on iTunes for $50. I called the Escondido DMV and the main Sacramento number and I couldn’t get anyone to investigate this. I called the bank and reported it and the money was replaced. But I don’t have any iDevices or an Apple account and would never EVER buy anything from iTunes.

I bought two bottles of laundry soap at Target incident on Thanksgiving weekend, and when that news story hit I called my credit card company and had the card replaced.

Because the state’s press release about the DMV incident said that we would be notified if affected by the DMV credit breach, I didn’t proactively cancel my credit card, even though I paid a vehicle registration online during the time frame of the DMV snafu.

Now (about 3 months after paying the DMV fee online), I see two unauthorized purchases on the card statement for odd amounts around $55 and just under $100. The vendor is down in LA and the charges were for online purchases, but “of course” the credit card company will not tell me where those purchases were mailed–I doubt law enforcement will follow up on it. Now I again have had to go through the process of cancelling the card and waiting for a replacement, plus the card company advises that I make a police report. I sure hope this is the end of it!

I just received my BOA Visa credit card statement today, with $157 charge from CA DMV. I don’t live in CA, but on the East coast. I NEVER had a fraudulent charge on any credit card until this CA DMV charge. As we can see charges are being made to anybody, anywhere. This should be nationally advised, since it’s not a local in-state problem.